Headscale
https://github.com/juanfont/headscale/
https://headscale.net
Пример headscale для docker swarm stack с доступом через traefik и ограничением по IP. Важно: ipallowlist проверяет адрес TCP‑соединения — если порты traefik опубликованы через swarm routing mesh (ingress), клиентский IP подменяется адресом ingress‑сети из 10.0.0.0/8 и ограничение пропускает всех; публикуйте порты traefik в `mode: host` или настройте `ipstrategy`, чтобы проверялся реальный адрес клиента:
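services:
  headscale:
    # NOTE(review): pin a release tag instead of `latest` so an unattended
    # pull cannot silently upgrade the control plane (and its DB schema).
    image: headscale/headscale:latest
    entrypoint: headscale serve
    volumes:
      # headscale config.yaml (may hold OIDC/other secrets): keep it tightly permissioned
      - /data/docker/headscale/config:/etc/headscale
      # server state (database, keys): back this up
      - /data/docker/headscale/data:/var/lib/headscale
    networks:
      - traefik-public
    deploy:
      labels:
        - traefik.enable=true
        - traefik.swarm.network=traefik-public
        - traefik.http.routers.headscale.rule=Host(`DOMAIN.COM`)
        - traefik.http.routers.headscale.entrypoints=https
        - traefik.http.routers.headscale.tls=true
        - traefik.http.routers.headscale.tls.certresolver=le
        - traefik.http.routers.headscale.middlewares=headscale-cors,headscale-ipallowlist
        - traefik.http.routers.headscale.service=headscale
        # CORS exists only so a browser-based admin UI on this host can call the
        # headscale API; keep the origin list restricted to that host.
        # Label values are passed to Traefik literally — the original wrapped the
        # method/header lists in double quotes, so the quotes became part of the
        # values (`"GET`, ..., `OPTIONS"`). Do not quote inside the label.
        - traefik.http.middlewares.headscale-cors.headers.accessControlAllowMethods=GET,POST,PUT,PATCH,DELETE,OPTIONS
        - traefik.http.middlewares.headscale-cors.headers.accessControlAllowHeaders=Authorization,Content-Type
        - traefik.http.middlewares.headscale-cors.headers.accessControlAllowOriginList=https://DOMAIN.COM
        - traefik.http.middlewares.headscale-cors.headers.accessControlMaxAge=100
        - traefik.http.middlewares.headscale-cors.headers.addVaryHeader=true
        # Only private ranges may reach the control plane (and the admin UIs that
        # reuse this middleware). The check is made on the TCP peer address: if
        # Traefik's ports are published through the swarm routing mesh, the peer
        # is the mesh's own 10.x address and every client passes — publish the
        # ports with `mode: host` or set ipallowlist.ipstrategy so the real client
        # address is evaluated. Nodes outside these ranges cannot register or
        # refresh keys against this server.
        - traefik.http.middlewares.headscale-ipallowlist.ipallowlist.sourcerange=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
        - traefik.http.services.headscale.loadbalancer.server.port=8080
networks:
  traefik-public:
    external: true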
Команды
Сервер
headscale nodes list-routes # show advertised subnet routes and the node announcing each
headscale nodes tag -i <NODE_ID> -t tag:<TAG1>,tag:<TAG2> # set tags on a node
Создать API‑ключ для доступа к headscale (например, из web UI). Ключ даёт административный доступ к API — храните его как секрет и не оставляйте в истории shell или в конфигах, попадающих в git:
# Create an API key (what the web UIs use to talk to headscale). Treat it as an
# admin credential: keep it out of shell history, logs and committed config.
# NOTE(review): keys have an expiry — check `headscale apikeys list` and rotate
# before they lapse; confirm the default lifetime for your version.
headscale apikeys create
Создать пользователя:
# Create the headscale user that nodes and pre-auth keys will belong to
headscale users create user1
Создать многоразовый pre-auth ключ для пользователя user1, истекающий через 24 ч (для подключения нод этому пользователю; многоразовый ключ — постоянный секрет, пока не истёк, по нему может подключиться кто угодно):
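# Create a reusable pre-auth key for user1 that expires after 24h.
# Newer headscale versions address pre-auth keys by numeric user ID, so the
# name is resolved first. The original read ${USERNAME}, which is the shell's
# login name, not the headscale user — use a dedicated variable instead.
HS_USER=user1
USERID=$(headscale users list -n "${HS_USER}" -o json | jq -r '.[0].id')
# A reusable key is a standing credential: anyone holding it can join a node
# until it expires. Prefer single-use keys where you can, and keep the printed
# key out of logs and shell history.
headscale preauthkeys --user "${USERID}" create --reusable --expiration 24h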
Зарегистрировать ноду на сервере после получения ключа ноды (его выдаёт `tailscale up` из раздела «Клиент»):
# Register a node using the key the client's `tailscale up` login produced.
# The key below is an example value only; never paste real keys into docs.
headscale nodes register --user user1 --key W4D7f0Um2pJl2r0TX0FrFJ09
Клиент
--advertise-tags tag:<TAG> # join as a tagged device. NOTE(review): headscale presumably only honours tags the ACL policy (tagOwners) allows for this user/key — verify
--advertise-routes=10.0.0.0/8,192.168.0.0/24 # announce these subnets from this node (subnet router). NOTE(review): routes are not usable until approved on the server or auto-approved by policy — verify for your version
Запросить ключ ноды для регистрации на сервере:
# Start login against the headscale server; the command prints a URL containing
# the node key that is then registered server-side with `headscale nodes register`.
# --accept-routes installs every approved subnet route on this client — only
# enable it on nodes that actually need to reach those subnets.
tailscale up --login-server=https://DOMAIN.COM --accept-dns=false --accept-routes
или сразу зарегистрировать клиента, указав pre-auth ключ пользователя (ключ — секрет: в командной строке он попадает в историю shell и виден в `ps`):
# Register directly with a pre-auth key (the value below is an example only).
# The key is a credential: on the command line it lands in shell history and is
# visible to other users via `ps`. NOTE(review): recent tailscale versions accept
# `--auth-key=file:/path/to/key` so the secret can be read from a 0600 file — confirm
# for your version.
tailscale up --login-server=https://DOMAIN.COM --auth-key=dc0018d10c5ec398a972cf060603be276fc602c9861850de --accept-dns=false --accept-routes
Показать маршруты:
# Routes installed for tailscale: filter every routing table by the tailscale interface…
ip route list table all dev tailscale0
# …or list the table tailscale manages directly (52)
ip route list table 52
Отключить SNAT на клиенте, предоставляющем подсети (subnet router; только для Linux). Без SNAT хосты в подсети видят исходные адреса Tailscale (100.64.0.0/10) и должны иметь обратный маршрут к subnet router, иначе ответы не вернутся:
# Stop source-NATing traffic forwarded into the advertised subnets, so subnet
# hosts see the client's Tailscale address (Linux only; the subnet then needs a
# return route for 100.64.0.0/10). `tailscale up` expects the full set of flags
# used previously (or --reset), otherwise it refuses to change settings.
# NOTE(review): recent versions also accept `tailscale set --snat-subnet-routes=false`
# without re-running up — confirm for your version.
tailscale up --snat-subnet-routes=false
https://tailscale.com/kb/1019/subnets#disable-snat
ACL
DERP
UI
https://headscale.net/stable/ref/integration/web-ui/
https://github.com/GoodiesHQ/headscale-admin
docker-compose.headscale-admin.yaml
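services:
  headscale-admin:
    # NOTE(review): pin a release tag; `latest` pulls whatever was pushed last
    image: goodieshq/headscale-admin:latest
    # `container_name` and `restart` are ignored by `docker stack deploy`
    # (they only apply to plain docker compose); deploy.restart_policy is the
    # swarm equivalent.
    container_name: headscale-admin
    networks:
      - traefik-public
    restart: unless-stopped
    deploy:
      restart_policy:
        condition: any
      labels:
        - traefik.enable=true
        - traefik.swarm.network=traefik-public
        # Only one UI can own `/admin` on this host — headplane below uses the
        # same prefix; deploy one or the other, or give them distinct prefixes.
        - traefik.http.routers.headscale-admin.rule=Host(`DOMAIN.COM`) && PathPrefix(`/admin`)
        - traefik.http.routers.headscale-admin.entrypoints=https
        - traefik.http.routers.headscale-admin.tls=true
        - traefik.http.routers.headscale-admin.tls.certresolver=le
        # Reuses the ipallowlist middleware declared on the headscale service; this
        # router errors until that stack is up. As far as this page shows, the UI
        # is gated only by the headscale API key typed into it, so the allowlist is
        # the only thing keeping the login page off the Internet — keep it.
        - traefik.http.routers.headscale-admin.middlewares=headscale-ipallowlist
        - traefik.http.services.headscale-admin.loadbalancer.server.port=80
networks:
  traefik-public:
    external: true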
https://github.com/gurucomputing/headscale-ui
docker-compose.headscale-ui.yaml
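services:
  headscale-ui:
    # NOTE(review): pin a release tag; `latest` pulls whatever was pushed last
    image: ghcr.io/gurucomputing/headscale-ui:latest
    # `container_name` and `restart` are ignored by `docker stack deploy`
    # (they only apply to plain docker compose); deploy.restart_policy is the
    # swarm equivalent.
    container_name: headscale-ui
    networks:
      - traefik-public
    restart: unless-stopped
    deploy:
      restart_policy:
        condition: any
      labels:
        - traefik.enable=true
        - traefik.swarm.network=traefik-public
        - traefik.http.routers.headscale-ui.rule=Host(`DOMAIN.COM`) && PathPrefix(`/web`)
        - traefik.http.routers.headscale-ui.entrypoints=https
        - traefik.http.routers.headscale-ui.tls=true
        - traefik.http.routers.headscale-ui.tls.certresolver=le
        # Reuses the ipallowlist middleware declared on the headscale service; this
        # router errors until that stack is up. The UI talks to the headscale API
        # from the browser (hence the CORS middleware on the headscale router) using
        # the API key typed into it — the allowlist is the only gate in front of it.
        - traefik.http.routers.headscale-ui.middlewares=headscale-ipallowlist
        - traefik.http.services.headscale-ui.loadbalancer.server.port=8080
networks:
  traefik-public:
    external: true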
https://github.com/tale/headplane
docker-compose.headplane.yaml
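services:
  headplane:
    # NOTE(review): pin a release tag; `latest` pulls whatever was pushed last
    image: ghcr.io/tale/headplane:latest
    # `container_name` and `restart` are ignored by `docker stack deploy`
    # (they only apply to plain docker compose); deploy.restart_policy is the
    # swarm equivalent.
    container_name: headplane
    networks:
      - traefik-public
    restart: unless-stopped
    volumes:
      # headplane's own config. NOTE(review): presumably holds its session/cookie
      # secret and the headscale API key — keep the directory root-owned, 0600 files.
      - /data/docker/headscale/headplane:/etc/headplane
      # Gives the UI container the headscale config (and any secrets in it).
      # If headplane only needs to read it for your setup, mount it `:ro`.
      - /data/docker/headscale/config:/etc/headscale
    deploy:
      restart_policy:
        condition: any
      labels:
        - traefik.enable=true
        - traefik.swarm.network=traefik-public
        # Same `/admin` prefix as headscale-admin above — deploy only one of them
        # on this host, or give them distinct prefixes.
        - traefik.http.routers.headscale-headplane.rule=Host(`DOMAIN.COM`) && PathPrefix(`/admin`)
        - traefik.http.routers.headscale-headplane.entrypoints=https
        - traefik.http.routers.headscale-headplane.tls=true
        - traefik.http.routers.headscale-headplane.tls.certresolver=le
        # Reuses the ipallowlist middleware declared on the headscale service; this
        # router errors until that stack is up. Keep the allowlist — it is the only
        # network-level gate in front of the admin UI.
        - traefik.http.routers.headscale-headplane.middlewares=headscale-ipallowlist
        - traefik.http.services.headscale-headplane.loadbalancer.server.port=3000
networks:
  traefik-public:
    external: true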
Ошибки
Warning: UDP GRO forwarding is suboptimally configured on eth1, UDP forwarding throughput capability will increase with a configuration change.
Решение:
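# Enable UDP GRO forwarding on the uplink (the interface that routes to the
# Internet). The original took field 5 of `ip route get`, which is the device
# only when the route has a `via` hop; for a directly connected route the
# device is field 3. Take the token after `dev` instead.
IFACE=$(ip -o route get 8.8.8.8 | sed -n 's/.*dev \([^ ]*\).*/\1/p')
ethtool -K "${IFACE}" rx-udp-gro-forwarding on rx-gro-list off
# This does not survive a reboot; the linked page shows how to apply it at boot.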
https://tailscale.com/s/ethtool-config-udp-gro
Ссылки